
Command-and-control Malware Traffic Playbook

May 31, 2016 | January 2, 2018

Introduction

Malicious actors operate command-and-control (C&C/C2) servers to interact with their victims’ computers. These C2 servers are intended to instruct the compromised PCs to do undesired things, such as stealing the user’s passwords, encrypting the files for ransom or attacking other computers on the network.

One of the major threats today, ransomware (Cryptolocker, Locky, Petya), also relies on C2 services for generating and storing the file encryption/decryption keys. Similarly, banking Trojans (Zeus, Dridex, Shifu) also use remote servers to collect personal and financial data from their victims.

To keep the communication between the compromised assets and the C2 server under the radar, a covert channel needs to be established. Although different protocols can be used (e.g. IRC, DNS, ICMP), the most common one is HTTP(S). Web-based C2 channels, disguised as browsing activity, can blend nicely into the general HTTP traffic on any infrastructure.

Because the mere presence of a covert channel is a tell-tale sign of a compromise, C2 traffic is an ideal candidate for identifying any affected PC. This article first gives an overview of the C2 traffic identification techniques, then discusses the common remediation strategies powered by playbooks.

Identifying C2 Traffic

Luckily, the covert channel between the C2 server and the compromised device leaves traces all over the infrastructure. Therefore, we can analyse multiple sources of information for discovering C2 traffic patterns, such as:

HTTP Proxy logs

DNS query logs

Firewall logs

Netflow logs

Endpoint telemetry data

Indexed full packet capture

Standard signature-based network IDS/IPS can also help us find suspicious connections.

To pinpoint compromised devices on the infrastructure, we need to correlate the sea of data with known indicators of C2 activity. These indicators can originate from:

In extreme cases, third parties can also notify us of the covert channels:

Internet Service Provider

Botnet sinkholes

Your C2 Playbook

Once C2 activity is spotted on your network, the relevant playbook should roll into action. Bear in mind, however, that a covert channel can exist for two distinct reasons: it either belongs to commodity malware, or you have an adversary (i.e. a hacker) on your network. Therefore, two separate playbooks should be written for managing the two different scenarios.

Your playbook for managing commodity malware should focus on the rapid eradication of the threat. Quick action minimises the risk of your data being encrypted on the network shares by ransomware, or passwords stolen from the users by information stealing malware. Therefore, the primary goal of the playbook is taking the infected PCs offline as soon as possible – one by one – for wiping. Refer to our playbook from earlier on handling ransomware infections.

On the other hand, a different approach is appropriate if a human is moving around on the network. If the compromised computers were taken offline one by one, the malicious actor might fight back by changing their Tactics, Techniques, and Procedures (TTPs). This could prevent us from eradicating the threat and turn the remediation efforts into a whack-a-mole game. Therefore, all affected assets must be disconnected at the very same time to get rid of the attacker.

Both playbooks should cover additional activities, however. First of all, we must investigate how “patient zero” was compromised in the first place. Information on the initial attack vector could help us prevent further infections by blocking the related malicious URLs, IPs or emails on the perimeter. Secondly, incident handlers should pivot on the initial indicators of the C2 traffic to find other compromised devices across the infrastructure.

If you managed to pivot on all IPs and did not find any further compromised devices, resolve the incident

Update the shift log with a brief summary of the actions taken

If anything unusual happened during the incident, bring it up to the weekly post-mortem meeting
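The correlation of log sources with known indicators (see Identifying C2 Traffic above) and the pivoting step described in this section can be illustrated with a small script. The following is an added example, not code from the original article: it parses constructed HTTP proxy and DNS query log lines, matches them against an indicator feed that initially contains only one C2 domain, and then pivots on DNS answers (domain to IP, IP back to domain) to discover hosts that talked to the same infrastructure without ever touching the seed domain. The log formats, the domain `update-check.example-bad.test` and the address `203.0.113.45` are placeholders chosen for the example, not real indicators.

```python
"""Correlate proxy/DNS logs with C2 indicators and pivot to find more compromised hosts."""
import re
from collections import defaultdict

# Constructed indicator feed: only the C2 domain is known at the start of the incident.
INITIAL_INDICATORS = {"update-check.example-bad.test"}

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
PROXY_LOG = """\
2016-05-31T10:01:02Z 10.0.0.11 GET http://update-check.example-bad.test/gate.php 200
2016-05-31T10:01:05Z 10.0.0.12 GET http://intranet.corp.test/index.html 200
2016-05-31T10:02:30Z 10.0.0.13 POST http://203.0.113.45:8080/panel/upload 200
"""

# Constructed DNS query log lines: timestamp, client IP, query type, name, answer.
DNS_LOG = """\
2016-05-31T10:00:58Z 10.0.0.11 A update-check.example-bad.test 203.0.113.45
2016-05-31T10:01:04Z 10.0.0.12 A intranet.corp.test 10.0.0.5
2016-05-31T10:05:10Z 10.0.0.14 A update-check.example-bad.test 203.0.113.45
"""

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<qtype>\S+) (?P<qname>\S+) (?P<answer>\S+)$")
HOST_RE = re.compile(r"^https?://([^/:]+)")  # hostname or IP, without port or path


def parse_proxy(text):
    """Turn proxy log lines into events; the destination is the URL's host part."""
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        host = HOST_RE.match(m["url"])
        events.append({"ts": m["ts"], "src": m["src"], "source": "proxy",
                       "dst": host.group(1) if host else m["url"]})
    return events


def parse_dns(text):
    """Turn DNS query log lines into events; keep the answer so we can pivot on it."""
    events = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        events.append({"ts": m["ts"], "src": m["src"], "source": "dns",
                       "dst": m["qname"], "answer": m["answer"]})
    return events


def pivot(events, seed_indicators):
    """Expand the indicator set and the set of affected hosts until nothing new is found.

    Pivoting follows the C2 infrastructure only (domain <-> resolved IP); it never
    treats every destination of a compromised host as malicious, which would flag
    legitimate internal sites.
    """
    indicators = set(seed_indicators)
    hosts = set()
    while True:
        new_hosts = {e["src"] for e in events
                     if e["dst"] in indicators or e.get("answer") in indicators}
        # A known domain's DNS answers become indicators (IPs the malware will contact)...
        new_indicators = {e["answer"] for e in events
                          if e["source"] == "dns" and e["dst"] in indicators
                          and e["answer"] != "NXDOMAIN"}
        # ...and domains resolving to a known IP become indicators too.
        new_indicators |= {e["dst"] for e in events
                           if e["source"] == "dns" and e.get("answer") in indicators}
        if new_hosts <= hosts and new_indicators <= indicators:
            return indicators, hosts
        hosts |= new_hosts
        indicators |= new_indicators


def report(events, indicators):
    """Per affected host, the chronologically sorted evidence (timestamp, source, destination)."""
    evidence = defaultdict(list)
    for e in events:
        if e["dst"] in indicators or e.get("answer") in indicators:
            evidence[e["src"]].append((e["ts"], e["source"], e["dst"]))
    return {host: sorted(rows) for host, rows in evidence.items()}


if __name__ == "__main__":
    all_events = parse_proxy(PROXY_LOG) + parse_dns(DNS_LOG)
    found_indicators, affected = pivot(all_events, INITIAL_INDICATORS)
    print("indicators after pivoting:", sorted(found_indicators))
    for host, rows in sorted(report(all_events, found_indicators).items()):
        print(host)
        for ts, source, dst in rows:
            print(f"  {ts} {source:5} {dst}")
```

Run as a script, it lists 10.0.0.11, 10.0.0.13 and 10.0.0.14 with their evidence; 10.0.0.13 is only discovered because the seed domain's DNS answer was pivoted into the indicator set, and 10.0.0.12 stays clean even though it also produced DNS and proxy entries. Once the affected host list stops growing, the playbook's next step applies: take the hosts offline one by one for commodity malware, or all at once if an adversary is suspected.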

Summary

Malicious activity typically involves some form of covert communication with a remote host on the Internet. Logs, network sensors, or telemetry data should capture the metadata of these connections. We should rely on external data feeds, internal tools, malware analysis, and third-parties for identifying the C2 traffic. Once a compromised device is discovered, we determine the mitigation strategy first and run the corresponding playbook afterwards. All affected computers should be identified, then taken offline to eradicate the threat from the infrastructure.
